A deep dive into the security features of a router
This look at the D-Link DIR-860L router is focused exclusively on security, which probably makes it the first review of its kind.
My last blog, How secure can your router get?, described a checklist of router security features on my RouterSecurity.org site. Here I employ that checklist to evaluate the security aspects of a random router.
Because this review touches on a very large range of topics, by necessity, I can't explain each term or concept. So, although this is geared to Computerworld readers, hopefully those without a networking background can still get something out of it.
There is nothing special about the DIR-860L, I just happened to have access to a new one. It's a dual band router, one of the first to support AC Wi-Fi. It was released in 2013 and currently sells for around $70.
As you can see below it is a vertical cylinder, much like an OnHub router from Google. That said, if you care at all about how your router looks, this blog is not for you.
The 860L ships with a reasonably random Wi-Fi password, although the same password is used for both the 2.4GHz and 5GHz network. There was however, a huge security flaw right off the bat, I was able to login to the router itself without any password at all (the userid defaults to the industry standard "admin").
The setup instructions for every router say to connect it to the Internet. That's not good Defensive Computing. As I wrote on RouterSecurity.org, it's safer to make some initial tweaks with the router off-line.
Specifically, I like to change the router password, the SSIDs, the Wi-Fi passwords and disable WPS before putting a new router online. It's also not unreasonable to disable Wi-Fi altogether, until the latest firmware is installed.
After changing the router password, I like to logoff and back on to verify the new password. The 860L, however, has no logoff button. You exit the web interface by closing the browser tab/window. I had only seen this once before, so it wasn't on my security checklist. It is now. I also like a router to force me off as soon as the password is changed. The 860L did not.
On the upside, the 860L lets you change the WPS PIN code, which is safer than leaving the default code (which anyone can see on the bottom label). I changed the code a few times, then disabled WPS. Both an Android and a Windows app confirmed that WPS was really off.
The first time I place a new router online, it's behind an existing router. This is both safer and easier. The new router thinks its public IP address is one that the existing router gave it, normally something in the 192.168.x.x range.
My first online task is checking for new firmware.
The 860L displays the current firmware version in the top right corner of every web page, along with the hardware version. The routers own check for new firmware (below) said that it was already running the latest edition (version 1.08 from March 3, 2014). Experience has taught me not to trust this, so I went to support.dlink.com and searched for DIR-860L. Nothing. Not even an acknowledgement that the model existed. The link in the screenshot below was useless, it just went to support.dlink.com.
Before getting to this point, however, you have to provide the hardware level of the router. The website offers a choice of A or B. The router in front of me was A1. How hard is it for a company to match these things up? Apparently, too hard for D-Link.
Also, while the firmware in most places is shown as 1.08, in one place it is described as 1.08.B02. Is that the same as 1.08 or are there multiple versions of 1.08? D-Link customers have to figure this out for themselves. Then too, version 1.08 is shown with three different dates in three different places.
Is it any wonder that many people don't update their router firmware? Springing for one of the few routers that self-update, may be money well spent.
Done with the firmware, I next like to change the router to use a unpopular subnet, something like 192.168.88.x or 10.11.12.x. This provides protection from a whole class of attacks. The 860L handled the subnet conversion fine.
Next, its time to lock down access to the router.
There is no documentation in the 860L about acceptable router passwords. It took both a short 3 character password (bad) and a long 17 character one (good).
The 860L does a great job defending itself against brute force password guessing. After entering about a dozen wrong passwords, a CAPTCHA was added to the login page (above). Changing browsers did not remove the CAPTCHA.
Logging on to the router from the LAN side is referred to as Local Administration. The 860L supports secure HTTPS for this, but it can't disable HTTP access. Also, HTTPS is only supported on the standard port, 443, you can't configure a more secure alternate. Secure routers can be locked down such local access requires a URL like
Other common options to lock down local access are to limit router logons by MAC address, IP address or to just Ethernet connected devices. The 860L supports none of these. It also let me logon to the router from two different browsers concurrently.
The ability to logon to the router from the Internet is called Remote Management on the 860L. By default it is off, as it should be. This too, supports HTTPS, but unlike the LAN side, you can specify an alternate port (the default is 8090).
The security for remote access is much stronger than on the LAN side. For one, if you enable HTTPS, then remote HTTP access is blocked. You can also use IP filtering to limit remote access by source IP addresses. Filtering rules are given names and they can also be applied to port forwarding.
Another nice security feature is the ability to schedule Wi-Fi. Schedules are also given names and each wireless network can be assigned to a different schedule. Schedules too, can be applied to port forwarding rules. Note that if a Wi-Fi network is off because of the schedule, the main status page of the router still reports that the wireless radio is enabled.
There is no Wi-Fi on/off button, so if you are not using a schedule and want to turn off the Wi-Fi, you have to login to the router.
Needless to say, everyone should use WPA2 encryption. When you select WPA2 for the main networks, the 860L forces the use of AES, which is good. However, when you select WPA2 for a guest network, the router still offers the less secure TKIP option alongside AES.
The 860L can create two Guest networks, one on each frequency band. Both are off by default. The Guest networks can be scheduled, which is a great feature. For example, if someone will be visiting on Tuesday afternoon, then, on Monday, you can schedule the Guest network to wake up in the late morning on Tuesday and turn itself off that night.
The Guest networks are normal networks, the 860L does not use a captive portal. There are no bandwidth limits on guests and no limit on how long a user can be logged on as a guest.
There are two security options to look for with any Guest network: can guests be isolated from the main network and can they be isolated from each other. The goal being to allow guests to access the Internet, but nothing else.
One router that handles this in a simple, clear way is the TP-LINK Archer C8, shown below. It also offers bandwidth control of guest users.
It seems that the 860L offers the first feature only.
Guest networks on the 860L have an option called "Routing Between Zones" which is off by default. D-Link describes this as "Use this section to enable routing between Host Zone and Guest Zone, Guest clients cannot access Host clients' data without enabling this function." I am assuming this would prevent a guest user from printing on a network printer, but I did not test it.
I did find a quirk with the Guest networks on the 860L. After I enabled the 5GHz Guest network it didn't appear in any network scans. It seems that the 5GHz Guest network will not exist unless the main 5GHz network is active. There was no documentation on this.
The router only supports a single userid, "admin". The documentation says there is another userid called "user" but that's not the case. You can create userids and passwords, but only for the file sharing feature, not for access to the router itself.
Port forwarding has excellent security. Access to a port can be limited by source IP address and can also be scheduled.
into a web browser, where 22.214.171.124 is the LAN side IP address of the router. If the browser displays a page full of technical information, HNAP is supported. If you get an error, it is not.
MAC address filtering is poorly done. For starters, there is no documentation on the required format for entering MAC addresses. More importantly, the filtering applies to the router as a whole, rather than to individual networks. You also can not assign friendly names to the MAC addresses.
I looked into whether the router can block outbound access to a specific IP address. There are a couple reasons you might want to do this, blocking access to a modem is one that I wrote about back in February. More recently, it came to light that some Visio TVs are watching you as you watch them.
The feature that blocks or restricts LAN devices from accessing the Internet is called Access Control by the 860L. The restrictions can include a schedule, so it can knock kids off-line at bedtime.
The feature works, I used it to block my access to an external IP address, but the interface is confusing.
The two blocking options are a "web filter" and a "port filter", both names are mis-leading. The web filter is actually a log of web access. So, if you want to see where your Smart TV is sending data about your viewing habits, this can be very useful. However, it generates a ton of data, so it may be of less value for watching what children do online. As shown below, one web page can fill up many pages in the log.
The port filter is where you can limit access by IP address (and by port numbers).
It's not clear if any of the outbound IP restrictions can apply to the entire LAN. There is an option called "Other Machines" but the meaning of it wasn't clear and I didn't bother testing. Changes to the Access Control rules required re-booting the router, fortunately this seemed to be the only function that required a reboot.
The only supported DDNS providers are DYN and a free D-Link service. DDNS data can be reported either securely or in plain text. I did not test if the 860L uses encryption when it reports its public IP address to a DDNS provider.
The ability of the 860L to monitor and report on attached devices is about average (granted this is a matter of opinion). There are no reports on bandwidth usage but the Internet Sessions feature can show all the Internet connections a given device currently has.
Below is a screen shot of the sessions on my Windows 7 computer (IP address 192.168.84.100) at a time when the only browser connection was the router itself. Considering it was about 30 seconds after all other browsers were closed, the machine was still pretty chatty. The four outbound UDP connections on port 443 (HTTPS) are a mystery.
The 860L has an option called WLAN Partition that is off by default. Beats me what this does.
The router says it "allows you to segment your Wireless network by managing access to both the internal station and Ethernet access to your WLAN". The User Guide says it "enables 802.11d operation. 802.11d is a wireless specification developed to allow implementation of wireless networks in countries that cannot use the 802.11 standard. This feature should only be enabled if you are in a country that requires it." On a D-Link forum, a user asking for help cited this definition: "Enabling WLAN Partition prevents associated wireless clients from communicating with each other." On another D-Link site I found a fourth definition and gave up at that point.
The 860L remotely shares files using a feature called Web File Access. The documentation says it "allows you to use a web browser to remotely access files stored on a USB storage drive plugged into the router." There is some security, in that it supports HTTPS access on a user-specified arbitrary port. Also, the Admin router account can create file access accounts with some limitations on the files these other users can see. Web File Access was on by default but it can be easily disabled.
As for logging, there are three types of logs: System, Firewall & Security and Router Status. The types of events written to each log are not explained. You can easily save the logs to your computer.
iPhones and iPads running iOS 9 can have the lock screen passcode bypassed thanks to exploiting...
Abbott Labs, a global healthcare company, is laying off about 180 IT employees after inking an...
A Computer Sciences Corp. spokesman, however, says the 500 layoffs are due to "the normal course of...
It's been a year since Windows 10 arrived. Executive News Editor Ken Mingis talks with Windows expert...
Donald Trump’s muddled stance on hacking has disturbed security experts at time when the tech industry...
Beer pong, sexy schoolgirls and racist rants: A string of marketing and recruiting missteps suggests...